On 05/04/18 22:51, gevisz wrote:
> 2018-04-05 16:14 GMT+03:00 Bill Kenworthy <bi...@iinet.net.au>:
>> On 05/04/18 18:28, gevisz wrote:
>>> 2018-04-05 12:51 GMT+03:00 gevisz <gev...@gmail.com>:
>>>> 2018-04-05 1:02 GMT+03:00 Grant Taylor <gtay...@gentoo.tnetconsulting.net>:
>>>> On 04/04/2018 02:18 PM, gevisz wrote:
>>>>> Assuming that NAT is in play on OR and IR (worst case), then just about
>>>>> /any/ form of VPN initiating from the outside will be fraught with uphill
>>>>> battles.
>>>> As far as I understand, the connection would be initiated from the Host.
>>> A small correction after a call to the friend: the VPN server should
>>> be installed on the Client and the VPN client should be installed on the
>>> Host.
>>>
>>> Because of the same reason it is impossible to set up a VPN server on the IR.
>>>
>>> Moreover, IR is too simple to use it for setting up any server other than
>>> NAT and, maybe, port-forwarding.
>>>
>> Might need a third party vpn server in the cloud that both ends connect
>> to as clients and route between? A stunserver like VoIP uses will help
>> there.
>>
>> Also try a proxytunnel/stunnel using port 443 and use that to bounce
>> openvpn or a putty (ssh) port tunnel through the network's https proxy.
>> Inefficient but gets ssh, web pages and small downloads through
>> problematic networks nicely. Double wrapping in ssl with end-to-end
>> protection via openvpn takes care of privacy when MITM SSL proxies are
>> used (yes they exist). Note that openvpn can be used peer to peer
>> though client to server is a bit more secure.
> Thank you for the information.
>
>> In my setup, the client is windows and the server is gentoo on a dynamic IP.
> It is strange because just today I have learned that the VPN server should
> be set on the host with a static IP visible in the Internet. Otherwise a
> VPN-client has no way to connect to the VPN-server.
I am referring to putty as the windows client (my view of the process) - the vpn client is proxytunnel on windows connecting out to the server which is an external stunnel on gentoo from your point of view. The secret is getting the two to talk to each other and that's where it gets interesting - a method I used in the past is internally have a script scraping a webpage (external) and when it gets a change it wants, initiate a connection (IP number change for a permanent link on a dynamic IP, or other instruction - actually used an html comment on my home web server index page). A more common method is to initiate a test connection every few minutes and close/go back to waiting if there is no connection. Zebedee which I used for years as a port tunnel (very good and flexible) has a mode where it can initiate connections when there is no public visibility. If both ends are behind a secure gateway/NAT - you need a third machine to coordinate the process.

If it's all too hard, can you drop a raspberry pi trojan on the network which gets away from the restrictions running windows? At the end of the day, it's up to you and the local admins as to how much funny business they will put up with but it's just a technical problem in moving packets around.

BillK
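The "script scraping a webpage" approach Bill describes, written out as an added example (not Bill's script and not part of the original thread): a POSIX sh poller that fetches a page, reads an endpoint address out of an HTML comment, and only starts a tunnel when that address changes. The URL, state file path, the `<!-- vpn: HOST:PORT -->` marker and the `connect_tunnel` placeholder are all assumptions; `connect_tunnel` is where an ssh port forward or openvpn client would actually be launched. The comment value is validated against a strict host:port shape before it is used, so arbitrary page content cannot become a command argument.

```shell
#!/bin/sh
# Added example: poll a web page for an HTML comment carrying the current
# endpoint, and (re)connect only when it changes. Names below are assumed.

PAGE_URL="${PAGE_URL:-https://example.invalid/index.html}"   # assumed URL
STATE_FILE="${STATE_FILE:-/tmp/vpn-endpoint.last}"           # assumed path

# extract_endpoint: read HTML on stdin, print the value inside
# "<!-- vpn: HOST:PORT -->". Only a host:port shaped value is accepted, so
# anything else on the page is ignored rather than passed to a command.
extract_endpoint() {
    sed -n 's/.*<!-- vpn: \([A-Za-z0-9.-]*:[0-9]*\) -->.*/\1/p' | head -n 1
}

# endpoint_changed NEW STATEFILE: succeed (exit 0) only when NEW is non-empty
# and differs from the value recorded in STATEFILE.
endpoint_changed() {
    new="$1"; state="$2"
    [ -n "$new" ] || return 1
    if [ -f "$state" ] && [ "$(cat "$state")" = "$new" ]; then
        return 1
    fi
    return 0
}

# connect_tunnel HOST:PORT: placeholder for starting the real tunnel
# (ssh -L / openvpn / stunnel); here it only reports the target.
connect_tunnel() {
    echo "would connect to $1"
}

# poll_once: one fetch-compare-act cycle. curl is given a timeout so a
# stalled proxy cannot hang the loop.
poll_once() {
    html="$(curl -fsS --max-time 20 "$PAGE_URL")" || return 1
    ep="$(printf '%s' "$html" | extract_endpoint)"
    if endpoint_changed "$ep" "$STATE_FILE"; then
        connect_tunnel "$ep" && printf '%s' "$ep" > "$STATE_FILE"
    fi
}

# Run the loop every five minutes only when invoked as "script run",
# so the functions above can be sourced and tested on their own.
if [ "${1:-}" = "run" ]; then
    while :; do poll_once; sleep 300; done
fi
```

Run it as `sh poller.sh run` on the machine behind NAT; the other end publishes its current address in the comment on a page it controls. Recording the last value in a state file is what keeps the script from restarting a working tunnel on every poll.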